Google Docs Phishing Email Follow Up

Share this:

On Wednesday May 3, a phishing email was sent to many Drake faculty, staff, and students, and was widely distributed across the internet, which appears to be an invitation to view a Google Doc. The "From" address may seem familiar to the recipient, however the "To" address is always hhhhhhhhhhhhhhhh@mailinator.com.

A button graphic uses Google's blue and white color scheme and font to imply that clicking will open a file in Google Docs. The recipient's address appears in the "Bcc:" field.

Example of the Google Docs phishing email:

If you see this email, the best advice is to delete or ignore it. If you already clicked the Open in Docs button, with either your Drake University or personal Google account, and accepted the permissions changes, go to https://myaccount.google.com/u/0/permissions?pli=1 and follow instructions to revoke permissions. The fake Google Docs app will have a Google Drive icon.

Because the message was so well crafted, Drake's email filtering system did not initially block access to the malicious website, however all links should now be blocked and prevent further access.

Google is aware of the issue and taking strong actions, including automatically finding and removing the fake Google Docs app from Google accounts.

Clicking the link ("Open in Docs" button) prompts the user to authenticate with their Google credentials and allows the user to grant permission to a new app that pretends to be Google Docs. If allowed, the app accesses the user's Contacts list and attempts to send phishing emails to all their contacts.

The user's Google credentials are not compromised by granting permission to the fake Google Docs app. Changing passwords is not necessary, although it's not a bad idea.